Bug 915788
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Document IP tables firewall requirements for all components. | | |
| Product: | Red Hat OpenStack | Reporter: | Ofer Blaut <oblaut> |
| Component: | doc-Getting_Started_Guide | Assignee: | Stephen Gordon <sgordon> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | ecs-bugs |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 2.0 (Folsom) | CC: | breeler, chrisw, gkotton, rkukura, sgordon, ykaul |
| Target Milestone: | rc | Keywords: | Documentation, Triaged |
| Target Release: | 2.1 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Fixed In Version: | Red_Hat_OpenStack-Getting_Started_Guide-2-web-en-US-1.0-30.el6eng | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Last Closed: | 2013-04-11 06:58:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Moving this to GSG, if we want to release note in the interim (or even in conjunction) we can still set "Doc Type": "Release Note" and set "Doc Text".

The following rule needs to be added on the host that is running the quantum service:

```
-A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 quantum incoming" -j ACCEPT
```

In honesty this is a much wider problem with the manual steps in the GSG than just this chapter. We don't currently have iptables info for any of the components.

Apparently these are the rules added by packstack in an "all in one" configuration. Obviously for multi-node these would be spread across multiple hosts:

```
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -m comment --comment "001 nove compute incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 873 -m comment --comment "001 rsync incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT
```

*** Bug 923392 has been marked as a duplicate of this bug. ***

commit 09f432cfa48dbbab3027071f29517c21df4414e8
Author: Stephen Gordon <sgordon>
Date: Mon Mar 25 13:23:31 2013 -0400

    BZ#915788 - Added basic firewall configuration for each service.

    Added basic firewall configuration steps to allow incoming
    connections for each service. Moved part of the swift chapter
    in the process because the procedure I was adding to was using
    authentication details that had not been configured yet.

    Change-Id: Ie7b10dc2f3dc5eec00b5960a95af5d1fffae3665
I added steps inline to the manual deployment instructions for adding rules based on the list in comment # 8 plus the one for Quantum (although it's unclear from Gary's comment whether this needs to be done just on the network node or every node with OVS/L3/DHCP agent). I also ensured that where we configure QPID the rule for it is documented.

The main one that is "missing" at this point is:

```
-A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming" -j ACCEPT
```

The reason I omitted this is that all of our manual database configuration steps use openstack-db --init, which doesn't actually handle remote databases at all. I filed an RFE for this, but at this stage our instructions are pretty much tied to having multiple MySQL servers (one per component) that don't talk to each other. I think this is a bigger issue than "just" iptables that needs to be resolved under bug # 910873.

Port 9696 for quantum only needs to be open on the node(s) running quantum-server.

(In reply to comment #12)
> Port 9696 for quantum only needs to be open on the node(s) running
> quantum-server.

Reading the change, that appears to be what was implemented.

Checked "Allow incoming connections to OpenStack Networking by adding this firewall rule to the /etc/sysconfig/iptables configuration file: -A INPUT -p tcp -m multiport --dports 9696 -j ACCEPT"
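The packstack all-in-one list in comment 8 and the note in comment 12 that port 9696 is only needed where quantum-server runs imply a per-role split of the rules on a multi-node deployment. The script below is an added example, not code from the bug or the Getting Started Guide: it prints the rules a given node role needs and audits a saved ruleset for services that still lack an ACCEPT rule. The role assigned to each service is an assumption for illustration.

```shell
#!/bin/sh
# Added example: per-role iptables rules derived from the packstack
# all-in-one list in comment 8, plus an audit of a saved ruleset.
# The role each service is assigned to is an assumption for illustration;
# quantum (9696) follows comment 12 and goes only where quantum-server runs.

# service|tcp ports|comma-separated roles that run it
SERVICES='horizon|80|controller
keystone|5000,35357|controller
glance|9292|controller
novaapi|8773,8774,8775|controller
novncproxy|6080|controller
qpid|5672|controller
quantum|9696|controller
cinder|3260,8776|controller
nova-compute|5900:5999|compute
swift-proxy|8080|storage
swift-storage|6000,6001,6002,873|storage'

# Print the /etc/sysconfig/iptables lines a host with role $1 needs.
rules_for_role() {
    printf '%s\n' "$SERVICES" | while IFS='|' read -r name ports roles; do
        case ",$roles," in
            *",$1,"*)
                printf '%s\n' "-A INPUT -p tcp -m multiport --dports $ports -m comment --comment \"001 $name incoming\" -j ACCEPT" ;;
        esac
    done
}

# Read a saved ruleset on stdin and print the services for role $1 whose
# ports have no ACCEPT rule, one per line (empty output means complete).
missing_for_role() {
    ruleset=$(cat)
    printf '%s\n' "$SERVICES" | while IFS='|' read -r name ports roles; do
        case ",$roles," in
            *",$1,"*)
                printf '%s\n' "$ruleset" | grep -q -- "--dports $ports .*-j ACCEPT" \
                    || printf '%s\n' "$name" ;;
        esac
    done
}

# Usage: sh firewall-roles.sh compute                       (print rules)
#        sh firewall-roles.sh audit controller < /etc/sysconfig/iptables
if [ "$1" = audit ]; then
    missing_for_role "$2"
elif [ $# -gt 0 ]; then
    rules_for_role "$1"
fi
```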
Created attachment 702872: compute-log on additional node

Description of problem:
When working with one controller and an additional compute node (iptables is enabled) the compute node will fail to communicate with the quantum server. Upon stopping iptables on the controller the VM will launch. Attached logs.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup of one controller with compute node and an additional compute node (quantum)
2. Launch VMs. VM will fail to launch on the additional compute node
3. Stopping iptables on the controller will enable the VMs to be launched

Actual results:
iptables on controller must be updated to accept connection via quantum

Expected results:

Additional info: